Marks & Spencer Breach Proves That Even IT Experts Can Be Fooled

When most IT professionals think about phishing, they picture employees in accounting clicking on fake invoices or someone in HR opening a malware-laden attachment. While those are legitimate risks, there’s another department that bad actors are especially interested in targeting, and compromising one of these employees’ accounts can be a gold mine. IT team members often have privileged access to critical parts of a company’s infrastructure. As a recent high-profile cyberattack in the U.K. demonstrated, the consequences of a successful phishing attack on an IT staffer can be catastrophic.

Inside the cyberattack that crippled Marks & Spencer
Marks & Spencer (M&S), a major British retailer known for its upscale food and stylish yet affordable clothing, experienced a devastating cyberattack over the Easter holiday in April 2025. This incident was one of a trio of cyberattacks on major U.K. retailers that weekend, including hits on Harrods and the Co-Op. While damage was minimal and the attack was quickly contained at Harrods and the Co-Op, M&S did not fare so well.
The breach at M&S began with a deceptively simple tactic: social engineering at the help desk. Threat actors from the DragonForce operation launched spear-phishing attacks by impersonating employees and contacting IT help desk staff with seemingly routine login issues. Their goal was to convince the help desk to reset the credentials of the employees they were impersonating, giving the attackers a direct path into the retailer’s critical technology infrastructure. They succeeded, kicking off a disruptive and highly publicized cyber disaster for M&S.
Once the attackers successfully executed the credential reset, they deployed ransomware to steal data and bring the retailer’s operations to a standstill. The attack triggered a cascade of disruptions, halting online orders, disabling some payment systems and snarling curbside pickup. The breach prompted a full-scale crisis response, with IT teams working around the clock over Easter weekend.
Their efforts were only partly successful. While the retailer’s IT team was able to limit the damage enough for the company’s brick-and-mortar stores to remain operational, contactless payments were briefly knocked out and stock availability was limited in some stores. M&S’s online operations were hit much harder. The company was left unable to process online or app-based orders and halted click-and-collect services for three weeks.

Inadequate planning results in chaos and confusion
Insufficient planning appears to be one of the main reasons Marks & Spencer was hit so hard by this attack. While the company stated it had an incident response and business continuity plan in place and had conducted executive-level drills within the past year, reports from insiders tell a different story. According to Sky News, internal sources claimed that the retailer lacked a viable incident response or business continuity plan. As a result, the company’s reaction to the attack was disorganized and reactive, leaving employees across departments scrambling to respond as systems failed.
The situation became so dire that some IT staff reportedly slept in their offices over the holiday weekend to contain the damage. With official internal communications and systems disrupted, employees resorted to using personal devices in an ad-hoc fashion, including WhatsApp for communication instead of the company’s official platform, Microsoft Teams. The report contended that employees felt like they were left in the dark, uncertain about the steps they should be taking. The overall response highlighted a critical lack of preparedness, emphasizing the need for IT leaders to ensure that incident and business continuity response plans are realistic, tested and widely understood.

Costs rise in the aftermath of the attack
The attack has had a seismic impact on the venerable retailer’s financial picture. Analysts estimate that the attack has caused staggering weekly losses of $32 million in clothing and home sales and $21 million in in-store food sales. Those expected losses have undermined investor confidence. As of May 13, M&S’s share price has fallen 15%, with more than $1 billion wiped off its market value.
Losses are likely to continue for M&S, as surveys indicate that a significant portion of consumers discontinue shopping with retailers that suffer cyberattacks. While payment information and passwords were not accessed, customers’ personal data, including names, addresses and order histories, were stolen. That loss of data could result in a loss of trust between the retailer and shoppers. About 60% of consumers said they would likely avoid a breached retailer, with higher-income consumers even more likely to do so (74%).

Why IT teams are prime phishing targets
While IT professionals typically recognize and avoid low-effort phishing attempts, when they do fall victim to a cybercriminal’s lure, the effects are explosive. IT and engineering staff receive nearly twice as many targeted phishing emails as other departments because compromising an IT team member is more likely to give adversaries the keys to the kingdom, like access to:
- Administrator accounts and privileged credentials
- Critical infrastructure and sensitive systems
- Cloud environments, SaaS platforms and remote access tools
- Security settings, monitoring tools and backup controls
- Intellectual property, proprietary business data and financial systems
- Customer, employee and internal communications data
Help desks, in particular, sit at a dangerous intersection, balancing user support and privileged access, often under pressure to resolve tickets quickly.

New NCSC guidance emerges in the wake of the M&S attack
These events are a wake-up call: Technical knowledge alone won’t prevent an IT staffer from being socially engineered into making a costly mistake. Even seasoned admins can be tricked when the phishing message is cleverly crafted to maximize authenticity.
Following the M&S attack, the U.K.’s National Cyber Security Centre (NCSC) released updated security recommendations relevant to any IT professional:
- Enforce MFA everywhere: Ensure multifactor authentication is deployed across all systems, especially for admin accounts.
- Monitor for risky logins: Use tools like Microsoft Entra ID Protection to detect unusual account activity, including logins from residential VPNs or unusual locations.
- Audit privileged accounts regularly: Verify that all domain, enterprise and cloud admin accounts have legitimate access and remove stale or unnecessary permissions.
- Review help desk protocols: Strengthen identity verification processes before password resets, no exceptions, even under time pressure.
- Train all staff regularly (including IT staff): Be sure your IT team receives the same level of phishing awareness training as other departments. Tailor content to reflect the unique threats IT staff face.
- Don’t let anyone avoid training: Managers receive more than twice as many phishing emails as rank-and-file employees.
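As an added example of the reset-then-login pattern behind the help desk and risky-login guidance above (this is not Kaseya’s or the NCSC’s code): a small Python check that flags help-desk password resets on privileged accounts that were weakly verified, or were followed within a window by a login from an unfamiliar location or without MFA. The event format, the verification categories, the 24-hour window and the sample events are all constructed assumptions.

```python
"""Flag help-desk password resets on privileged accounts that are followed by a
login from an unfamiliar location or without MFA. Added example (not Kaseya's or
NCSC's code); event format, window and sample events are constructed."""
from datetime import datetime, timedelta

# Constructed sample events: a help-desk reset on an admin account followed by a
# login from a residential ISP without MFA, and a benign reset for comparison.
EVENTS = [
    {"ts": "2025-04-19T09:02:00", "type": "password_reset", "actor": "helpdesk.jane",
     "user": "admin.bob", "verified_by": "employee_id"},
    {"ts": "2025-04-19T09:17:00", "type": "login", "user": "admin.bob",
     "location": "Residential-ISP/NL", "mfa": False},
    {"ts": "2025-04-19T10:05:00", "type": "password_reset", "actor": "helpdesk.jane",
     "user": "sales.kim", "verified_by": "callback"},
    {"ts": "2025-04-19T10:30:00", "type": "login", "user": "sales.kim",
     "location": "Office/London", "mfa": True},
]
PRIVILEGED = {"admin.bob"}
KNOWN_LOCATIONS = {"admin.bob": {"Office/London"}, "sales.kim": {"Office/London"}}
# Verification methods assumed strong enough to permit a privileged reset.
STRONG_VERIFICATION = {"callback", "in_person"}
WINDOW = timedelta(hours=24)

def _ts(event):
    return datetime.fromisoformat(event["ts"])

def find_suspicious_resets(events, privileged, known_locations, window=WINDOW):
    """Return one alert per privileged reset that was weakly verified or was
    followed within `window` by an unfamiliar-location or non-MFA login."""
    alerts = []
    resets = [e for e in events if e["type"] == "password_reset" and e["user"] in privileged]
    for r in resets:
        reasons = []
        if r.get("verified_by") not in STRONG_VERIFICATION:
            reasons.append(f"weak verification: {r.get('verified_by')}")
        for e in events:
            if e["type"] != "login" or e["user"] != r["user"]:
                continue
            if not (0 <= (_ts(e) - _ts(r)).total_seconds() <= window.total_seconds()):
                continue
            if e["location"] not in known_locations.get(r["user"], set()):
                reasons.append(f"new location after reset: {e['location']}")
            if not e.get("mfa"):
                reasons.append("login without MFA after reset")
        if reasons:
            alerts.append({"user": r["user"], "reset_ts": r["ts"], "reasons": reasons})
    return alerts
```

Run against the constructed events, only the admin.bob reset is flagged, with all three reasons.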

The takeaway: every user is at risk every day
The U.K.’s NCSC cautioned that it has handled 200 nationally significant incidents since September 2024, double the number from the same period the prior year. Many involve increasingly sophisticated social engineering. These attacks show that even the most technical teams are vulnerable if proper safeguards and training aren’t in place. When IT falls, the whole business falls harder.
Kaseya 365 User is a user-centric cybersecurity subscription that provides comprehensive, multi-layered protection across today’s evolving attack surface. Unlike traditional endpoint solutions, it safeguards users wherever they work, not just their devices, while streamlining security management for IT teams.
See how Kaseya 365 User can transform your user protection strategy.
